# NixOS module: imports a pinned set of third-party systemd service hardening
# modules, locks down privilege escalation (sudo / sudo-rs / polkit), disables
# core dumps, and enables authenticated (NTS) time synchronisation.
{ config, lib, pkgs, ... }:
let
  inherit (lib) mkDefault optional;

  # Hardening modules fetched from git. `rev` is what pins the content to an
  # exact commit; `ref` only tells fetchGit which branch to resolve it on, so
  # bumping `ref` alone does not change what gets imported.
  hardenedSrc = fetchGit {
    url = "https://github.com/wallago/nix-system-services-hardened.git";
    ref = "main";
    rev = "3c6c8738868277aa145e0f17c645172b1c9d81e3";
  };

  # Map a list of service names to module paths inside the pinned checkout.
  hardenedServices = names:
    map (name: "${hardenedSrc}/services/${name}.nix") names;
in
{
  imports =
    [ ./boot.nix ./ssh.nix ]
    ++ hardenedServices [
      "accounts-daemon"
      "getty"
      # "nix-daemon" # TODO: breaks cgroups, ...
      "nscd"
      "rescue"
      "sshd"
      "systemd-machined"
      "systemd-rfkill"
      "systemd-udevd"
    ];

  networking.modemmanager.enable = false;

  security = {
    # doas.enable = true;
    polkit.enable = true;
    sudo-rs.enable = false;
    sudo.enable = false;
    # Harmless while sudo-rs is disabled; restricts it to the wheel group
    # should it be switched on elsewhere.
    sudo-rs.execWheelOnly = true;

    # Core file size limit 0 for every session (soft and hard), so crashing
    # processes leave no core file behind.
    pam.loginLimits = [
      {
        domain = "*";   # all users / sessions
        type = "-";     # both soft and hard limit
        item = "core";  # core file size
        value = "0";    # 0 bytes, i.e. core dumps effectively disabled
      }
    ];
    # pam.sshAgentAuth.enable = true;

    # Members of the `users` group may reboot or power off without
    # authentication; all other polkit actions keep their defaults.
    polkit.extraConfig = ''
      polkit.addRule(function(action, subject) {
        if (
          subject.isInGroup("users") &&
          (
            action.id == "org.freedesktop.login1.reboot" ||
            action.id == "org.freedesktop.login1.reboot-multiple-sessions" ||
            action.id == "org.freedesktop.login1.power-off" ||
            action.id == "org.freedesktop.login1.power-off-multiple-sessions"
          )
        ) {
          return polkit.Result.YES;
        }
      });
    '';
  };

  # The sudo shim is only installed when doas is the escalation tool
  # (same result as a mkIf inside the package list, without relying on the
  # module system to discharge it).
  environment.systemPackages =
    optional config.security.doas.enable pkgs.doas-sudo-shim;

  # Complements the PAM limit above: systemd does not collect dumps either.
  systemd.coredump.enable = false;

  services = {
    # Time sync with NTS (authenticated NTP) against NTS-capable servers.
    chrony = {
      enable = true;
      enableNTS = true;
      servers = [
        "time.cloudflare.com iburst nts"
        "ntppool1.time.nl iburst nts"
        "nts.netnod.se iburst nts"
        "ptbtime1.ptb.de iburst nts"
        "time.dfm.dk iburst nts"
        "time.cifelli.xyz iburst nts"
      ];
    };
    dbus.implementation = "broker";
  };

  # Restrict who may talk to the nix daemon; mkDefault lets another module
  # widen or narrow this without a priority conflict.
  nix.settings.allowed-users = mkDefault [ "@users" ];
}